CLAIMS

1. A method for enforcing a plurality of different policies on a stream of packets, the method comprising:
    receiving a packet;
    determining whether the packet corresponds to a common condition for a first policy rule and a second policy rule, the first policy rule belonging to a first policy type and the second policy rule belonging to a second policy type that differs from the first policy type; and
    providing an association between the first packet and the common condition where it is determined that the packet corresponds to the common condition.

2. The method of claim 1, further comprising:
    appending an extension to the packet and updating at least a first bit location in the extension to provide the association between the packet and the common condition.

3. The method of claim 1, further comprising:
    determining whether the packet corresponds to a first particular condition for the first policy rule as compared to the second policy rule; and
    determining applicability of the first policy rule to the packet where it is determined that the common condition and the first particular condition correspond to the packet.

4. The method of claim 3, further comprising:
    appending an extension to the packet;
    updating at least a first bit location in the extension to provide the association between the packet and the common condition; and
    updating at least a second bit location in the extension to provide the association between the packet and the first particular condition.

5. The method of claim 3, wherein determining applicability of the first policy rule to the packet comprises:
    traversing a rule tree corresponding to the first policy rule, the rule tree having a first path corresponding to the first rule, the first path including the common condition and the first particular condition, wherein presence of the common condition and the first particular condition prompts a determination that the first policy rule is applicable to the packet.

6. The method of claim 1, wherein the first policy type is a firewall policy and the second policy type is a quality of service policy.

7. The method of claim 1, wherein the first and second policy types are selected from the following policy types: firewall, quality of service, intrusion detection.
8. The method of claim 1, further comprising:
    creating a session for a plurality of session related packets including the packet; and
    determining whether the packet corresponds to the common condition as evidenced from the created session.

9. The method of claim 8, further comprising:
    updating at least a first bit location in an extension for each of the plurality of session related packets to associate each of the plurality of session related packets to the common condition.

10. The method of claim 3, further comprising:
    creating a session for a plurality of session related packets including the packet; and
    determining whether the packet corresponds to the first particular condition as evidenced from the created session.

11. The method of claim 10, further comprising:
    updating at least a first bit location in an extension for each of the plurality of session related packets to associate each of the plurality of session related packets to the first particular condition.

12. The method of claim 3, further comprising:
    determining whether the packet corresponds to a second particular condition for the second policy rule as compared to the first policy rule; and
    determining applicability of the second policy rule to the packet where it is determined that the common condition and the second particular condition correspond to the packet.

Case No. 19567-05719

13. The method of claim 12, wherein determining applicability of the first policy rule and the second policy rule to the packet comprises:
    traversing a rule tree corresponding to the first policy rule and the second policy rule, the rule tree having a first path corresponding to the first rule and a second path corresponding to the second rule, the first path including the common condition and the first particular condition, the second path including the common condition and the second particular condition, wherein presence of the common condition and the first particular condition prompts a determination that the first policy rule is applicable to the packet, and presence of the common condition and the second particular condition prompts a determination that the second policy rule is applicable to the packet.

14. An apparatus for enforcing a plurality of different policies on a stream of packets, the apparatus comprising:
    means for receiving a packet;
    means for determining whether the packet corresponds to a common condition for a first policy rule and a second policy rule, the first policy rule belonging to a first policy type and the second policy rule belonging to a second policy type that differs from the first policy type; and
    means for providing an association between the first packet and the common condition where it is determined that the packet corresponds to the common condition.

15. The apparatus of claim 14, further comprising:
    means for appending an extension to the packet and updating at least a first bit location in the extension to provide the association between the packet and the common condition.

16. The apparatus of claim 14, further comprising:
    means for determining whether the packet corresponds to a first particular condition for the first policy rule as compared to the second policy rule, determining applicability of the first policy rule to the packet where it is determined that the common condition and the first particular condition correspond to the packet.

17. The apparatus of claim 16, further comprising:
    means for appending an extension to the packet, updating at least a first bit location in the extension to provide the association between the packet and the common condition, and updating at least a second bit location in the extension to provide the association between the packet and the first particular condition.

18. The apparatus of claim 16, wherein determining applicability of the first policy rule to the packet comprises traversing a rule tree corresponding to the first policy rule, the rule tree having a first path corresponding to the first rule, the first path including the common condition and the first particular condition, wherein presence of the common condition and the first particular condition prompts a determination that the first policy rule is applicable to the packet.

19. The apparatus of claim 14, wherein the first policy type is a firewall policy and the second policy type is a quality of service policy.

20. The apparatus of claim 14, wherein the first and second policy types are selected from the following policy types: firewall, quality of service, intrusion detection.

21. The apparatus of claim 14, further comprising:
    means for creating a session for a plurality of session related packets including the packet, and determining whether the packet corresponds to the common condition as evidenced from the created session.

22. The apparatus of claim 21, wherein the means for creating a session updates at least a first bit location in an extension for each of the plurality of session related packets to associate each of the plurality of session related packets to the common condition.

23. The apparatus of claim 16, further comprising:
    means for creating a session for a plurality of session related packets including the packet, and determining whether the packet corresponds to the first particular condition as evidenced from the created session.

24. The apparatus of claim 23, wherein the means for creating a session updates at least a first bit location in an extension for each of the plurality of session related packets to associate each of the plurality of session related packets to the first particular condition.

25. The apparatus of claim 16, further comprising:
    means for determining whether the packet corresponds to a second particular condition for the second policy rule as compared to the first policy rule, and determining applicability of the second policy rule to the packet where it is determined that the common condition and the second particular condition correspond to the packet.

26. The apparatus of claim 25, wherein determining applicability of the first policy rule and the second policy rule to the packet comprises traversing a rule tree corresponding to the first policy rule and the second policy rule, the rule tree having a first path corresponding to the first rule and a second path corresponding to the second rule, the first path including the common condition and the first particular condition, the second path including the common condition and the second particular condition, wherein presence of the common condition and the first particular condition prompts a determination that the first policy rule is applicable to the packet, and presence of the common condition and the second particular condition prompts a determination that the second policy rule is applicable to the packet.

27. An apparatus for enforcing a plurality of different policies on a stream of packets, the apparatus comprising:
    an infrastructure packet processing module group, which receives a packet; determines whether the packet corresponds to a common condition for a first policy rule and a second policy rule, the first policy rule belonging to a first policy type and the second policy rule belonging to a second policy type that differs from the first policy type; and provides an association between the first packet and the common condition where it is determined that the packet corresponds to the common condition.

28. The apparatus of claim 27, wherein the infrastructure packet processing module group appends an extension to the packet and updates at least a first bit location in the extension to provide the association between the packet and the common condition.

29. The apparatus of claim 27, further comprising:
    a first policy processing module, in communication with the infrastructure packet processing module group, which determines whether the packet corresponds to a first particular condition for the first policy rule as compared to the second policy rule, and determines applicability of the first policy rule to the packet where it is determined that the common condition and the first particular condition correspond to the packet.

30. The apparatus of claim 29, wherein the infrastructure packet processing module group appends an extension to the packet, updates at least a first bit location in the extension to provide the association between the packet and the common condition, and updates at least a second bit location in the extension to provide the association between the packet and the first particular condition.

31. The apparatus of claim 29, wherein determining applicability of the first policy rule to the packet comprises traversing a rule tree corresponding to the first policy rule, the rule tree having a first path corresponding to the first rule, the first path including the common condition and the first particular condition, wherein presence of the common condition and the first particular condition prompts a determination that the first policy rule is applicable to the packet.

32. The apparatus of claim 27, wherein the first policy type is a firewall policy and the second policy type is a quality of service policy.

33. The apparatus of claim 27, wherein the first and second policy types are selected from the following policy types: firewall, quality of service, intrusion detection.
34. The apparatus of claim 27, wherein the infrastructure packet processing policy module group comprises:
    a session manager, which creates a session for a plurality of session related packets including the packet, and determines whether the packet corresponds to the common condition as evidenced from the created session.

35. The apparatus of claim 34, wherein the session manager updates at least a first bit location in an extension for each of the plurality of session related packets to associate each of the plurality of session related packets to the common condition.

36. The apparatus of claim 29, wherein the infrastructure packet processing module group comprises:
    a session manager, which creates a session for a plurality of session related packets including the packet, and determines whether the packet corresponds to the first particular condition as evidenced from the created session.

37. The apparatus of claim 36, wherein the session manager updates at least a first bit location in an extension for each of the plurality of session related packets to associate each of the plurality of session related packets to the first particular condition.

38. The apparatus of claim 29, wherein the infrastructure packet policy module group determines whether the packet corresponds to a second particular condition for the second policy rule as compared to the first policy rule, and determines applicability of the second policy rule to the packet where it is determined that the common condition and the second particular condition correspond to the packet.

39. The apparatus of claim 38, wherein determining applicability of the first policy rule and the second policy rule to the packet comprises traversing a rule tree corresponding to the first policy rule and the second policy rule, the rule tree having a first path corresponding to the first rule and a second path corresponding to the second rule, the first path including the common condition and the first particular condition, the second path including the common condition and the second particular condition, wherein presence of the common condition and the first particular condition prompts a determination that the first policy rule is applicable to the packet, and presence of the common condition and the second particular condition prompts a determination that the second policy rule is applicable to the packet.
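The claims above describe one classification pass shared by rules of different policy types: a common condition is evaluated once, recorded as a bit in an extension appended to the packet, cached per session, and then combined with each policy's particular condition along a path of a rule tree. The following Python sketch is an added illustration of that flow, not part of the patent text; the bit layout, the firewall and QoS rules, the session key, and the condition values are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed extension layout: one bit per matched condition.
COMMON_BIT, FW_PARTICULAR_BIT, QOS_PARTICULAR_BIT = 1, 2, 4

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    ext: int = 0  # extension appended to the packet (claims 2, 4)

# Constructed conditions: the common condition is shared by the firewall rule
# and the QoS rule; each rule adds its own particular condition (claims 3, 12).
def common_condition(p):   # both rules care about TCP traffic to port 443
    return p.proto == "tcp" and p.dport == 443
def fw_particular(p):      # firewall rule: source inside the internal block
    return p.src.startswith("10.0.")
def qos_particular(p):     # QoS rule: destination is the video server
    return p.dst == "10.0.9.9"

# Rule tree (claim 13): the common condition sits at the root, and each path
# adds the particular condition that selects a rule of one policy type.
RULE_TREE = {"cond": common_condition, "bit": COMMON_BIT, "paths": [
    {"cond": fw_particular, "bit": FW_PARTICULAR_BIT, "rule": "firewall:allow-https"},
    {"cond": qos_particular, "bit": QOS_PARTICULAR_BIT, "rule": "qos:video-priority"},
]}

class SessionManager:
    """Evaluates the tree once per flow and reuses the recorded bits for
    every later packet of the same session (claims 8 to 11)."""
    def __init__(self):
        self.sessions = {}  # assumed session key: (src, dst, dport, proto)
    def classify(self, p):
        key = (p.src, p.dst, p.dport, p.proto)
        if key not in self.sessions:
            ext = 0
            if RULE_TREE["cond"](p):
                ext |= RULE_TREE["bit"]
                for path in RULE_TREE["paths"]:
                    if path["cond"](p):
                        ext |= path["bit"]
            self.sessions[key] = ext
        p.ext = self.sessions[key]
        return p.ext

def applicable_rules(p):
    """A rule applies only when its path's common and particular bits are both set."""
    if not p.ext & RULE_TREE["bit"]:
        return []
    return [path["rule"] for path in RULE_TREE["paths"] if p.ext & path["bit"]]
```

A packet that fails the common condition is never evaluated against either particular condition, which is the cost saving the shared root is meant to provide.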